
Darktrace Model Breach

Id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
Rulename: Darktrace Model Breach
Description: This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
Severity: Medium
Required data connectors: DarktraceRESTConnector
Kind: NRT
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
Version: 1.0.0
Arm template: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json
// Darktrace model breaches from the REST connector's custom log table, reshaped
// into ASIM NetworkSession-style column names so the rule's entity mappings,
// customDetails and alertDetailsOverride can refer to stable names.
darktrace_model_alerts_CL
// Keep only model-breach records; every other dtProduct_s value is dropped here.
| where dtProduct_s =="Policy Breach"
// Fixed ASIM labels: one event per row, NetworkSession schema 0.2.2, and the
// breach is recorded as a successful, allowed session.
| extend EventCount = 1
| extend EventType = "NetworkSession"
| extend EventSchema = "NetworkSession"
| extend EventSchemaVersion = "0.2.2"
| extend EventResult = "Success"
| extend DvcAction = "Allow"
// The numeric Darktrace breach score becomes the event severity (and, below,
// ThreatRiskLevel, which is shown in the alert display name).
| project-rename EventSeverity=score_d
| extend EventVendor = "Darktrace"
| extend EventProduct = "Enterprise Immune System"
// Breach time is used as both start and end of the session.
| project-rename  EventStartTime = breachTime_s
| extend EventEndTime = EventStartTime
// Model name / model id identify which Darktrace model fired.
| project-rename NetworkRuleName=modelName_s
| project-rename NetworkRuleNumber=pid_d
// NOTE(review): this assigns the literal string "NetworkRuleNumber", not the
// value of that column; Rule is not referenced by the rule's mappings — confirm intent.
| extend Rule = "NetworkRuleNumber"
| project-rename ThreatId=threatID_d
| extend ThreatName = NetworkRuleName
// NOTE(review): this rename is overwritten by `extend ThreatCategory=Category`
// two operators below; its only lasting effect is removing dtProduct_s from the output.
| project-rename ThreatCategory=dtProduct_s
| extend ThreatRiskLevel=EventSeverity
// ThreatCategory is the rule's alertSeverityColumnName, so Darktrace's Category
// is mapped onto Sentinel severities (Informational / Low / Medium / High).
// Order matters: Informational -> Low runs before Compliance -> Informational,
// so Compliance breaches end up Informational rather than Low. replace_regex
// matches substrings; a Category containing none of these words is passed
// through unchanged and is then not a valid severity (the rule's default
// severity is expected to apply — verify).
| extend ThreatCategory=Category
| extend ThreatCategory=replace_regex(ThreatCategory, @'Informational', @'Low')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Compliance', @'Informational')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Suspicious', @'Medium')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Critical', @'High')
// Network endpoints. Column names are case-sensitive: the entity mapping must
// reference SrcIpAddr exactly as produced here (the rule's mapping uses SrcIPAddr,
// which does not match). NOTE(review): SourceIP and Category carry no _s suffix
// unlike the other custom-log columns — confirm against the connector schema.
| project-rename SrcIpAddr=SourceIP
| project-rename SrcHostname=sourceHost_s
| project-rename SrcMacAddr=sourceMac_s
| project-rename SrcPortNumber=sourcePort_s
| project-rename DstIpAddr=destIP_s
| project-rename DstPortNumber=destPort_s
| project-rename DstHostname=destHost_s
| project-rename DstMacAddr=destMac_s
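# Microsoft Sentinel analytic rule: one alert per Darktrace model breach.
# Keys are ordered as in the Azure-Sentinel repository layout; YAML mappings
# are unordered, so this changes nothing in the deployed rule.
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
name: Darktrace Model Breach
# Plain scalar on purpose: the previous `|` block scalar wrapped the text in
# literal single quotes and a trailing newline, which showed up verbatim in the
# deployed rule description.
description: This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
# Default severity; used when ThreatCategory (alertSeverityColumnName below)
# does not hold a valid severity value.
severity: Medium
requiredDataConnectors:
- connectorId: DarktraceRESTConnector
  dataTypes:
  - darktrace_model_alerts_CL
# NRT rules are scheduled by the service (per the Sentinel docs, once per
# minute over the previous minute); queryFrequency/queryPeriod are kept for the
# template but do not change that schedule — the "every 5 minutes" in the
# description refers to the connector fetch, not the rule.
kind: NRT
queryFrequency: 5m
queryPeriod: 5m
# gt 0 with AlertPerResult: every returned row becomes its own alert.
triggerOperator: gt
triggerThreshold: 0
# No MITRE mapping is supplied; explicit empty lists instead of bare nulls.
tactics: []
relevantTechniques: []
# The query reshapes the raw custom-log columns into ASIM NetworkSession-style
# names that entityMappings, customDetails and alertDetailsOverride refer to.
# Review notes on the query (text kept identical to the upstream rule):
# - `extend Rule = "NetworkRuleNumber"` assigns the literal string, not the
#   column value; Rule is not referenced elsewhere in this rule — confirm intent.
# - `project-rename ThreatCategory=dtProduct_s` is overwritten by
#   `extend ThreatCategory=Category` two operators later.
# - The replace_regex chain maps Darktrace's Category onto Sentinel severities
#   (Informational / Low / Medium / High); order matters because Informational is
#   rewritten to Low before Compliance is rewritten to Informational.
# - SourceIP, Category and Message carry no _s suffix unlike the other columns;
#   confirm they exist in the DarktraceRESTConnector schema.
query: |
  darktrace_model_alerts_CL
  | where dtProduct_s =="Policy Breach"
  | extend EventCount = 1
  | extend EventType = "NetworkSession"
  | extend EventSchema = "NetworkSession"
  | extend EventSchemaVersion = "0.2.2"
  | extend EventResult = "Success"
  | extend DvcAction = "Allow"
  | project-rename EventSeverity=score_d
  | extend EventVendor = "Darktrace"
  | extend EventProduct = "Enterprise Immune System"
  | project-rename  EventStartTime = breachTime_s
  | extend EventEndTime = EventStartTime
  | project-rename NetworkRuleName=modelName_s
  | project-rename NetworkRuleNumber=pid_d
  | extend Rule = "NetworkRuleNumber"
  | project-rename ThreatId=threatID_d
  | extend ThreatName = NetworkRuleName
  | project-rename ThreatCategory=dtProduct_s
  | extend ThreatRiskLevel=EventSeverity
  | extend ThreatCategory=Category
  | extend ThreatCategory=replace_regex(ThreatCategory, @'Informational', @'Low')
  | extend ThreatCategory=replace_regex(ThreatCategory, @'Compliance', @'Informational')
  | extend ThreatCategory=replace_regex(ThreatCategory, @'Suspicious', @'Medium')
  | extend ThreatCategory=replace_regex(ThreatCategory, @'Critical', @'High')
  | project-rename SrcIpAddr=SourceIP
  | project-rename SrcHostname=sourceHost_s
  | project-rename SrcMacAddr=sourceMac_s
  | project-rename SrcPortNumber=sourcePort_s
  | project-rename DstIpAddr=destIP_s
  | project-rename DstPortNumber=destPort_s
  | project-rename DstHostname=destHost_s
  | project-rename DstMacAddr=destMac_s
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SrcHostname
    identifier: HostName
- entityType: IP
  fieldMappings:
  # Must match the query's output column exactly: KQL column names are
  # case-sensitive and the query produces SrcIpAddr (project-rename
  # SrcIpAddr=SourceIP). The former SrcIPAddr never resolved, so the IP entity
  # was left empty on every alert. The generated ARM template carries the same
  # SrcIPAddr and must be regenerated after this change.
  - columnName: SrcIpAddr
    identifier: Address
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Custom detail values are query output columns. Message is not produced by the
# query and is assumed to be a raw connector column — verify.
customDetails:
  SrcMacAddr: SrcMacAddr
  EventTitle: NetworkRuleName
  EventStartTime: EventStartTime
  DstHostname: DstHostname
  EventSeverity: EventSeverity
  EventID: ThreatId
  DstIpAddr: DstIpAddr
  EventMessage: Message
alertDetailsOverride:
  # ThreatCategory is computed by the query from Darktrace's Category field and
  # must hold Informational, Low, Medium or High for the override to take effect.
  alertSeverityColumnName: ThreatCategory
  # description_s is the raw Darktrace model description; it is surfaced as-is.
  alertDescriptionFormat: '{{description_s}}'
  alertTacticsColumnName: null
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml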
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Darktrace Model Breach",
        "description": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.",
        "severity": "Medium",
        "enabled": true,
        "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\"\n| extend EventCount = 1\n| extend EventType = \"NetworkSession\"\n| extend EventSchema = \"NetworkSession\"\n| extend EventSchemaVersion = \"0.2.2\"\n| extend EventResult = \"Success\"\n| extend DvcAction = \"Allow\"\n| project-rename EventSeverity=score_d\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Enterprise Immune System\"\n| project-rename  EventStartTime = breachTime_s\n| extend EventEndTime = EventStartTime\n| project-rename NetworkRuleName=modelName_s\n| project-rename NetworkRuleNumber=pid_d\n| extend Rule = \"NetworkRuleNumber\"\n| project-rename ThreatId=threatID_d\n| extend ThreatName = NetworkRuleName\n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=EventSeverity\n| extend ThreatCategory=Category\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Informational', @'Low')\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Compliance', @'Informational')\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Suspicious', @'Medium')\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Critical', @'High')\n| project-rename SrcIpAddr=SourceIP\n| project-rename SrcHostname=sourceHost_s\n| project-rename SrcMacAddr=sourceMac_s\n| project-rename SrcPortNumber=sourcePort_s\n| project-rename DstIpAddr=destIP_s\n| project-rename DstPortNumber=destPort_s\n| project-rename DstHostname=destHost_s\n| project-rename DstMacAddr=destMac_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "alertRuleTemplateName": "a3c7b8ed-56a9-47b7-98e5-2555c16e17c9",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertSeverityColumnName": "ThreatCategory",
          "alertDisplayNameFormat": "Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}",
          "alertTacticsColumnName": null,
          "alertDescriptionFormat": "{{description_s}}"
        },
        "customDetails": {
          "SrcMacAddr": "SrcMacAddr",
          "EventTitle": "NetworkRuleName",
          "EventStartTime": "EventStartTime",
          "DstHostname": "DstHostname",
          "EventSeverity": "EventSeverity",
          "EventID": "ThreatId",
          "DstIpAddr": "DstIpAddr",
          "EventMessage": "Message"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "SrcHostname"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SrcIPAddr"
              }
            ]
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml"
      }
    }
  ]
}